Customize your Duo experience by changing global settings in the Duo Admin Panel.
To access the Duo Admin Panel:
Navigate to Duo Admin Panel.
Enter your Duo administrator account credentials.
Complete two-factor authentication.
See Accessing the Duo Admin Panel for detailed Duo Admin Panel login instructions.
The browser used to access the Duo Admin Panel must support TLS 1.2, which most modern browsers do by default. If you have issues accessing the site, please update your browser to a recent version of Chrome, Firefox, Edge, Safari, etc. or check your browser’s SSL implementation here: https://www.ssllabs.com.
Duo no longer supports use of Internet Explorer to access the Admin Panel. Microsoft ended Internet Explorer desktop application support on June 15, 2022. Please use one of Duo's supported browsers.
Role required: Owner or Administrator (Billing role may not access the Settings page, other roles may view but not modify settings).
Administrators may use the Settings page in the Duo Admin Panel to customize global options, like custom branding. To access these features, log in to the Duo Admin Panel and click Settings on the left.
Once on the "Settings" page, use the left side navigation to access different sections on the page. Be sure to click the Save Changes button at the top of the page after updating any settings.
Your Account ID is a unique identifier for your Duo customer account. You may be asked to provide this if you contact Duo Support.
The Account Name specified here will be displayed in your Duo Admin Panel, and seen by your users during enrollment and via browser in Duo's traditional prompt, as well as shown in the Duo Mobile app.
The Country/region and Preferred timezone selections apply to most dates and timestamps in the Duo Admin Panel.
The Country/region selection also determines the default country code shown for phone enrollments in the traditional prompt only. The Universal Prompt does not use this setting during phone enrollment.
Duo Beyond, Duo Access, and Duo MFA customers: change language options in User Communication settings.
Changing the Language setting from English to French or German causes end-user interactions with Duo's service to use the chosen language. This includes the browser-based traditional Duo Prompt, Duo Mobile activation and SMS passcode text messages, and phone call authentication. This setting is global; users experience the selected language in the traditional authentication prompt no matter their actual location.
Duo Beyond, Duo Access, and Duo MFA customers: change logo and Duo branding options in Custom Branding settings.
Duo Free customers may upload a Logo image in the General settings, which is shown to users in both the Duo traditional and Universal Prompt during enrollment and authentication. The logo image must be in PNG format and not exceed 500 by 500 pixels and 200 KB. We recommend a 304 by 304 pixel logo image with a transparent background for the best results.
As an example, if you upload a company logo and change the account name to "Acme Corp" like so:
The account appears in Duo Mobile as follows:
The company logo you update here is also shown in the Duo Prompt.
The Duo authentication prompt displays the text "Secured by Duo" by default (formerly "Powered by Duo Security"). To remove this statement from your authentication prompt, Duo Free customers should clear the Duo branding General settings option.
Duo MFA, Access, and Beyond plan customers can customize the user authentication experience with a background image, logo, and accent color.
The custom branding background and accent color options affect the look and feel of the Universal Prompt for two-factor authentication, the Duo Single Sign-On (SSO) login page, and Duo Passwordless, while the logo and Duo branding selections apply to all applications that show the Duo traditional prompt or Universal Prompt in a browser. None of the custom branding options have any effect on the end-user experience for applications that do not show the Duo prompt in a browser, such as Duo Authentication for Windows Logon or Duo Unix, or LDAP and most RADIUS applications which use Duo Authentication Proxy.
|Branding Option||Universal Prompt||Traditional Prompt||Duo SSO||Duo Mobile||Non-Browser Apps|
|Test with some users||Yes||No||No||No||No|
Duo's default custom branding features the Duo logo, with a blue accent and no background image. You can customize each of the branding options as follows:
Logo: Drag and drop your logo image file into the space provided, or use the Select file... button to browse to your logo image. The logo image must be in PNG format and not exceed 500 by 500 pixels and 200 KB. We recommend a logo image with a transparent background for the best results. Your logo displays in Duo user interfaces at maximum dimensions of 192 by 48 pixels.
Accent Color: Use the selector to choose your accent color or type in a hex color code. This alters the solid stripe of color shown at the top of the Duo interactive browser interface. The accent color shown in Duo Mobile does not use this value, and is instead chosen by the app to complement your logo.
Background: Use the color selector or upload an image to serve as the background shown behind the Duo interactive browser interface. If you opt for an image, drag and drop your file into the space provided, or use the Select file... button to browse to and select it. If you upload a transparent background image, the background color shows behind that image.
Background images must be in PNG format no larger than 3 MB and 3840 by 2160 pixels. We recommend a 1280 by 800 pixel image for the best results.
Duo branding: The Duo interactive browser interfaces show the text "Secured by Duo" by default (formerly "Powered by Duo Security"). Clear this option to remove this statement.
As you make changes to the branding options, the Draft branding area shows a preview of your customized user experience. At any point you can click Discard changes to revert your selections back to the default values.
Your customization won't take effect until you publish the change. Choose from these Publishing options:
Save draft - Save the branding customizations but do not apply them to user logins. Your users continue experiencing the "Current branding" live settings.
Test with some users - Select individual Duo users who will experience the new custom branding. When they log in to web-based applications that have Universal Prompt activated those target users see the new customization. Users not selected for testing continue to see the "Current branding" live settings. Duo Single Sign-On and the traditional prompt will not show the updated logo and Duo branding text customizations to those selected users, and will instead show the customizations previously published to everyone.
Publish to everyone - Choose this option to make your branding changes effective for everyone. All users see the new custom branding when logging in to Duo Single Sign-On or other web-based applications if they have Universal Prompt activated. Duo's traditional prompt shows the updated logo and Duo branding text customizations to all users of web-based applications.
Click Save Changes to apply your selected custom branding publishing option.
When published, this is how the branding settings from the example above (logo, colors, background, and Duo branding) look across the Duo products that support customization.
|Universal Prompt||Duo Single Sign-On||Duo Traditional Prompt||Duo Mobile|
Duo's Admin API supports programmatic configuration of custom branding options. See the Admin API reference for more information.
Watch this video for an overview of the custom branding configuration and experience.
Changing the Language setting from English to French or German causes end-user interactions with Duo's service to use the chosen language. This includes the browser-based traditional Duo Prompt, Duo Mobile activation and SMS passcode text messages, phone call authentication. This setting is global; users experience the selected language in the traditional authentication prompt no matter their actual location.
This language selection also determines the help desk custom message translation shown in the traditional prompt and the Duo Device Health App. If you want a customized message shown to users in the language you select here, be sure to also enter a translated message for that language in the custom message setting.
The Duo Universal Prompt does not use this global language setting, and instead defers to the user's preferred browser language setting of English, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Hindi, Indonesian, Italian, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Spanish (Latin America), Spanish (Spain), Swedish, Thai, Turkish, or Vietnamese for prompt UI text, Duo Mobile activation, and SMS passcode text messages.
Customize the help message shown to your users in the Duo browser prompt and Device Health App. Use this field to provide instructions to your users, such as directing them to call or email your organization's support group.
Enter text up to 200 characters; HTML formatting or hyperlinks are not allowed in this message text. You may also add up to two clickable help links in the "Links" area. These URLs must start with
https. These links only show in the Universal Prompt's help message.
The first translation language shown matches your selection for the "Default Language", and the text you enter here will be shown in the following user interfaces:
Duo Universal Prompt authentication when a user clicks the "Need help?" link at the bottom of the prompt. The Universal Prompt shows the custom message text and the custom links as hyperlinks to external sites.
Duo traditional prompt authentication, enrollment, and device management shows the custom message (but not the links) when a user clicks the "Need help?" link on the left side of the prompt.
Duo Access and Beyond customers using the Device Health application also see the custom message text in the "Need Help?" area of the installed app.
You can add translations of your custom help message in different languages. Any additional translations added after the first one show up in the Duo Universal Prompt only (no other user interface) when the user's preferred language set in their browser is one of Duo's supported languages (Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Hindi, Indonesian, Italian, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese (Portugal), Spanish (Latin America), Spanish (Spain), Swedish, Thai, Turkish, or Vietnamese) and you have defined a translation for that language.
To add additional translations of the custom message for the Universal Prompt, click Add translation, select the desired language from the drop-down, and enter the text for that language. Click the trash can icon to remove any of the translations after the first one.
Both the default language and the first translation default to English. If you change the default language to French or German, then the custom message translations automatically sort the matching language to the first translation.
The "Enrollment Email" setting lets you customize the message sent to users imported from into Duo via Active Directory, OpenLDAP, or Azure when the synced directory has the "Send enrollment email to synced users" option enabled. You can choose to include your company logo in the email, which is the same logo image you uploaded in the General or Custom Branding section of the Settings page.
You can also set your "Enrollment experience" to show the traditional prompt or Universal Prompt. Once you have changed this setting, any new enrollment links will be directed to your chosen enrollment experience. For customers who signed up before July 2022, the default is set to show the traditional prompt. For customers who signed up during or after July 2022, the default is set to show the Universal Prompt.
The sent message will have a non-editable header added, informing the user it's an automated message sent by Duo and to contact their organization's Duo admins or IT support group with any questions.
Control specific privileges for Duo administrators with a non-Owner role.
By default, Duo administrators with the User Manager role may apply any of the user status options to a user. Applying "Bypass" status to a user allows that user to skip two-factor authentication when logging in to Duo-protected applications.
Disable the Allow admins with User Manager role to put users in bypass status setting to prevent User Managers from applying "Bypass" status to users
User Managers will still be able to change a user's status from "Bypass" to "Active" or "Disabled" with this restriction in place.
A bypass code is a passcode created as a backup authentication factor when a user's enrolled devices aren't available. Duo admins with the Owner, Administrator, User Manager, or Help Desk roles may create bypass codes for end users.
You may optionally restrict your Help Desk admins' ability to customize bypass codes with the Do not allow admins with the Help Desk role to customize bypass codes setting. Enabling this hides all customization options from the Help Desk, and any bypass codes they create are valid for the number of minutes or uses you specify here.
Prevent your Help Desk admins from issuing bypass codes entirely by enabling the Do not allow admins with the Help Desk role to create bypass codes option under Help Desk settings.
A user who exists in Duo but has yet to register any two-factor authentication devices must complete enrollment before they can log in to a Duo-protected service or application with 2FA. If your application does not permit inline self-enrollment, Duo administrators with the Owner, Administrator, or User Manager roles can send (or resend) an enrollment email to the user from the Admin Panel.
To permit Duo admins with the Help Desk role to send enrollment emails to users from the Admin Panel as well, enable the Allow admins with Help Desk role to send enrollment emails option under Help Desk settings.
In the "Phone Calls" section of the Settings page you can customize your users' experience of callback-based second-factor authentication. Set the "Outgoing caller ID" so that automated calls from Duo appear to come from a specific number within your organization (such as main reception or tech support).
Duo's telephony provider partners recognize Duo's callback numbers as legitimate. Be aware that customizing this number from the Duo defaults may cause telephony providers to flag your number as fraudulent and result in failed user authentications.
The default setting allows users to press any key to approve an authentication request. You can customize which keys may be used for authentication approval or reporting fraudulent requests in the "Phone callback keys" section.
In the "SMS Passcodes" section of the Settings page, admins can customize settings related to delivery of Duo SMS text messages to phones.
Customize the message sent to users with SMS passcodes by editing the "SMS message prefix" with your custom text. Anything that is not plain text, like a URL, is stripped from the resulting messages.
Use "SMS batch size" to customize the number of passcodes sent in each batch, up to 10. For additional security, SMS passcodes can be set to expire after a set time with the "SMS expiration" setting.
A new batch can be automatically sent after the last passcode is used or expires, so users are never without an authentication passcode.
Note that when a user requests a SMS passcode from the Universal Prompt it sends a single passcode in the SMS message, regardless of the batch size you set here.
These settings do not affect passcodes used by Duo administrators to log into the Admin Panel.
In the "Lockout and Fraud" section of this page, you can specify who to email when a user authentication is reported as fraudulent or when a user's login failures trigger a lockout with the "Fraud Notification Email" setting.
The default selection Notify all admins sends an email to all Duo administrators at each user lockout. Use the Notify specific email address field to limit which Duo administrators receive lockout notifications or to specify a distribution list. Lockout events trigger no emails with the Do not notify option enabled.
You can also adjust the number of consecutive failed authentication attempts allowed before the user's account is locked out to prevent brute force attacks with the "Failed attempts" setting. The user lockout counter increments after each failed authentication attempt (such as push timeout or incorrect passcode entered). The default lockout threshold is ten failed attempts.
Select the Revert user status to Active after _ minutes option if you want a locked-out Duo user automatically moved back to "Active" status after the specified amount of time. Otherwise, locked-out users may not log in until you manually change that user's status from "Locked Out" to "Active" or "Bypass".
Log in to the Duo Admin Panel and click Users in the left sidebar.
Select a user by clicking their username. You will see the user's current status in the "Status" section of the user properties page:
Re-enable the user by selecting the desired status, then scroll down and click the Save Changes button.
Enabling the "Anomaly Detection" setting provides enhanced protection from fraudulent authentication requests for Duo Mobile users. Check the box next to Block anomalous Duo Push attempts to activate this option. Anomaly detection prevents Duo Mobile from receiving multiple push requests per user within a short period of time. Users will need to wait one minute before requesting another Duo Push. Authentication Log entries alert administrators to the behavior. Customers who have created automation leveraging two-factor authentication should add delays to their process to avoid triggering anomaly detection.
These settings do not apply to Duo administrator accounts. Learn more about administrator lockout here.
Duo's telephony usage includes activation and authentication SMS messages and authentication phone calls for both end users and Duo administrators. Duo debits your telephony credit balance for each authentication call or SMS message sent (as per the rate card). Paid accounts are issued credits yearly, and may purchase extra telephony credits as needed. Duo Free accounts do not receive automatic credit refills, but may purchase additional telephony credits.
If you ever exhaust your telephony credit balance, your users will not be able to receive authentication phone calls or text messages. To avoid this, Duo automatically notifies all account administrators when the credit balance falls below 20% of your recurring telephony credits allowance, or below 100 credits if you do not have an allowance.
You can configure the credit balance email alert to send notifications at a custom threshold in the "Telephony Credits" section of the settings page. Change the "Low-credit alerts" option to Alert when account has fewer than _ credits and enter a number in the blank to change when the alert gets triggered.
You can also change the low-credit alert email recipient by entering an email address in the Low credit alert email field. If no email is specified then all Duo administrators receive the low-credit alert email.
The rate card shows how many credits each SMS message or telephone call consumes per country. By default, Duo restricts the maximum telephony credits used per transaction to 20 credits. If your users are in locations with more expensive telephony rates you can increase the 20 credit maximum. Conversely, if you know that telephony rates for your users should never exceed a certain amount you may reduce the maximum allowed credits below 20. To raise or lower the maximum credit usage per user authentication, enter the desired number in the Max credits per action box.
Since Duo is licensed on a per-user basis, you are charged based on the number of users you have in Duo, regardless of their activity. Duo's default behavior with regard to inactive accounts is to do nothing. Admins may choose to automatically remove inactive users from Duo after a set period. To do this, click the radio button next to Send users to the trash after a set period of inactivity and enter the maximum number of days an inactive user will be permitted to remain in Duo (up to 365). The number of inactive days is calculated from the last successful Duo authentication. Failed authentication attempts do not reset the inactivity counter.
If this option is enabled, Duo moves users who do not successfully authenticate for the specified number of days into the "Trash" with a "pending deletion" status as part of a daily process.
You can customize how long a user has a "pending deletion" status by changing the number in Permanently delete users from trash after __ days next to "Trash duration". This can be between 1 to 30 days, the default is 7 days. After the number of days specified in the Trash duration has passed, the user is permanently deleted from Duo.
If you enable user deletion and set the maximum number of inactive days to 90, then going forward, any user whose inactivity counter reaches 90 days will also be put into the Trash for the specified Trash duration, and then permanently deleted at the end of the Trash period. The inactivity counter for a user starts after the setting is enabled.
A user may not log in with Duo while their Duo account is pending deletion. At any time before the Trash duration ends you may restore the user from the Trash. Restoring a user account from the Trash doesn't change the user's status; you'll need to update the user's status back to "active" or "bypass" before they can log in.
If you restore the user account but the user still does not log in to Duo, then the account will be sent to the Trash once again for inactivity.
A user deleted by the system for inactivity will need to re-enroll in Duo in order to authenticate again.
User deletion doesn't apply to users managed by Directory Sync. Those users remain in Duo as long as they're present in the source directory groups selected in your directory sync configuration. When you remove users from all groups you've synced to Duo in the source directory, the next scheduled sync places those users into the Trash for the Trash duration.
The Duo Mobile app's Security Checkup feature checks and reports on a user's iOS or Android device security hygiene in the application itself. Potential device security issues, like an outdated operating system or lack of screen lock, are flagged within Duo Mobile for action by the user. The Security Checkup is enabled by default. You can change this on the Settings page.
Security Checkup always verifies device settings against Duo's recommended security settings, regardless of any authentication device policy settings you've created. For instance, Security Checkup flags rooted status on an Android device whether you've enabled a policy that blocks authentication from rooted or jailbroken devices or not.
Security Checkup doesn't block users from authenticating if it does find any issues with a user's phone. Be sure to implement Duo policy restrictions to prevent access and authentication for users with device security issues.
With Security Checkup enabled, Duo Mobile checks these device attributes:
Security Checkup notifies users about detected issues via a pop-up at the bottom of the app screen, which they can tap to see more information. End users can always view their device's security posture from within the Duo Mobile app. On iOS go to Menu → Security Checkup and on Android go to Menu → Settings → Security Checkup.
Example: Android device with all recommended settings
Example: iOS device without all recommended settings
Duo Mobile collects usage analytics and crash reporting information that we use to improve our service. Individual end users may opt-out of sending usage data at any time from within the Duo Mobile app's settings. Learn more about what information Duo collects and how we use it.
You can disable Duo Mobile usage analytics and crash reporting collection at an organizational level by changing the "Usage Analytics" setting to Do not allow Duo Mobile to collect usage data. This change becomes effective the next time a user opens Duo Mobile.
Instant Restore enables account recovery of "Duo-Protected" accounts (accounts used to approve logins for Duo-protected applications and services) and "Duo Admin" administrator login accounts when a Duo Mobile user gets a new iOS or Android device. To enable it, select Allow Instant Restore for Duo Mobile on Android and iOS. Then, instruct your iOS users to ensure that iCloud Keychain is enabled on the iOS devices where they use Duo Mobile. Android users should toggle on the Backup accounts with Google Drive option in Duo Mobile and follow the in-app prompts to connect to Google Drive to store their app backup.
You can export user activity logs for Instant Restore as a CSV file by clicking the Export button.
When users with account backups open Duo Mobile on their new device, they can tap Get My Account Back to begin the Instant Restore process. Android users must have their old device available to scan a QR code generated on that device to transfer the information to the new device.
iOS users don't need their old device available to complete the restore, but we do push a restore notification to the old phone. If the user did indicates they did not initiate the restore action, Duo deactivates both the old and the new iOS devices and emails the Duo administrators configured to receive Lockout and Fraud alert emails.
Successful Instant Restore deactivates the "Duo-Protected" and "Duo Admin" accounts on the old device.
Note that Instant Restore does not restore third-party OTP accounts in Duo Mobile nor deactivate third-party accounts on the old device. Users should still enable third-party account recovery in Duo Mobile to restore third-party OTP accounts with a recovery password.
Users who leave your organization still retain the Duo Mobile account backups until they delete the accounts or remove the backup. Disabling/deleting the user's account in Duo as part of your offboarding process prevents use of any restored Duo Mobile accounts, as they will remain disconnected.
Instant Restore requires Duo Mobile for Android 3.32.0 or later and Duo Mobile for iOS 3.33.0 or later.
Duo Restore for the Duo Mobile app is a legacy recovery implementation that gives your end users the ability to backup Duo account information from the Duo Mobile app to Google Drive (Android devices) or iCloud (iOS devices). They can use this saved backup information to recover those Duo accounts to a replacement device of the same platform as the original backup via accessing a designated Duo-protected application.
Duo Restore differs from the self-service portal feature as follows:
When enabling Duo Restore, you'll designate a specific Duo-protected application to use with this feature. Users need to perform primary authentication as required by that designated application, plus Duo authentication using any other factor available to them, such as phone call approval, a hard token or SMS passcode, an administrator-issued bypass code, etc. As such, we don't recommend selecting an application to use with Duo Restore that also has an authentication methods policy applied which restricts use of factors other than Duo Push, as this prevents user recovery of accounts using Duo Restore to a new device unless your users typically have a second device already activated for Duo Push.
To enable Duo Restore:
Once you enable Duo Restore your end users can avail themselves of the Duo Mobile app's account recovery options after installation on a new device. Successful Duo Restore deactivates the "Duo-Protected" and "Duo Admin" accounts on the old device.
To learn more about the Duo Restore experience for end users, see the Duo Restore page in the end-user guide.
Please note that Duo's app account backup and restore will not restore any third-party service accounts (where users scanned a QR code to enable 2FA on an external service like Facebook or Twitter) to a replacement device. After completing Duo Restore on a new device, a user needs to manually reactivate the Duo app for any third-party services. Note that an iOS user who backs up their device to iCloud can restore both Duo and third-party accounts to the same device. This is not possible for Android devices.
Neither Instant Restore nor Duo Restore restore third-party OTP accounts. Be sure to advise your users to set up backups for these third-party accounts in Duo Mobile no matter which Duo account restore option you choose for your organization. Additionally, ensure that users are aware that while restoring Duo-protected and Duo admin accounts to a new device deactivates those accounts on the old device, restoring third-party accounts to a new device does not deactivate those OTP accounts on the old one, so the old device could still be used to generate login passcodes for those third-party services. The user should delete those accounts from Duo Mobile on the old device, or delete the app on the old device.
By default, Duo authentication, telephony, and administrator action log entries are retained indefinitely. The "Logging" settings allow you to specify a retention period by selecting the Delete logs after _ days option and entering the maximum number of days to retain the log entries. When this option is set to delete, log entries older than the given number of days are purged. This setting becomes effective as soon as you save it; immediately deleting log information beyond the days specified.
The "Admin Password Policy" settings define the length and strength requirements for Duo administrative user passwords. The default setting for new Duo customers requires administrator passwords with a minimum length of 12 or more characters. Existing Duo customers who currently have the minimum password length set to a value less than 12 may increase this value incrementally, but once increased may not decrease it.
To change the minimum password length to a value greater than the default, enter the desired number of characters in the Minimum length box.
To enforce password complexity, next to the Require at least one option select any combination of uppercase letter, lowercase letter, number, or special character. We recommend enabling these complexity requirements to ensure administrators choose strong passwords.